From 86ebc1a6a289ffd7b46850bc3307d83890ec2415 Mon Sep 17 00:00:00 2001 From: Mauro Torrez Date: Fri, 16 Dec 2022 19:26:42 -0300 Subject: [PATCH] Disable SMTPUTF8 by default --- Dockerfile | 71 ++++++++++++++------------- confd/conf.d/setup_main.toml | 37 +++++++------- confd/conf.d/setup_milter.toml | 6 +-- confd/conf.d/setup_postscreen.toml | 8 +-- confd/templates/setup_main.tmpl | 37 +++++++------- confd/templates/setup_milter.tmpl | 6 +-- confd/templates/setup_postscreen.tmpl | 4 +- 7 files changed, 86 insertions(+), 83 deletions(-) diff --git a/Dockerfile b/Dockerfile index 314fb09..640d821 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -3,41 +3,27 @@ LABEL maintainer "Mauro Torrez "
 ARG DEBIAN_FRONTEND=noninteractive
 ENV LC_ALL C
-ENV MYDESTINATION="localhost.localdomain, localhost"
-ENV MYHOSTNAME=mail.example.com
-ENV MYDOMAIN=example.com
-ENV MYNETWORKS=""
-ENV MYNETWORKS_STYLE=class
-ENV VIRTUAL_ALIAS_MAPS=
-ENV VIRTUAL_MAILBOX_MAPS=
-ENV VIRTUAL_TRANSPORT=lmtp:dovecot:24
-ENV VIRTUAL_MAILBOX_DOMAINS=example.com
-ENV SMTPD_SASL_PATH=inet:dovecot:12345
-ENV SMTPD_SASL_TYPE=dovecot
-ENV SMTPD_SASL_AUTH_ENABLE=no
-ENV SMTPD_TLS_CERT_FILE=/ssl/cert.pem
-ENV SMTPD_TLS_KEY_FILE=/ssl/key.pem
-ENV SMTP_TLS_SECURITY_LEVEL=may
-ENV SMTPD_TLS_SECURITY_LEVEL=may
-ENV SMTPD_TLS_AUTH_ONLY=no
-ENV SMTPD_TLS_SESSION_CACHE_DATABASE="btree:\${data_directory}/smtpd_scache"
-ENV SMTPD_CLIENT_RESTRICTIONS="check_client_access pcre:/etc/postfix/rules/client_access_list, permit_sasl_authenticated, permit_mynetworks, reject_unknown_client_hostname, reject_unauth_pipelining, permit"
-ENV SMTPD_DATA_RESTRICTIONS="reject_unauth_pipelining, permit"
-ENV SMTPD_HELO_RESTRICTIONS="check_helo_access hash:/etc/postfix/rules/helo_access_list, permit_mynetworks, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, warn_if_reject, permit"
-ENV SMTPD_RELAY_RESTRICTIONS="permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, permit"
-ENV SMTPD_RECIPIENT_RESTRICTIONS="check_recipient_access hash:/etc/postfix/rules/recipient_access_list, permit_mynetworks, permit_sasl_authenticated, reject_unknown_recipient_domain, reject_non_fqdn_recipient, reject_unauth_destination, permit"
-ENV MESSAGE_SIZE_LIMIT=31457280
-ENV SMTPD_HELO_REQUIRED=yes
 ENV BIFF=no
-ENV SUBMISSION_ENABLE=no
-ENV POSTSCREEN_ENABLE=no
+ENV BOGOFILTER_ENABLE="yes"
+ENV BOGOFILTER_HAM_CUTOFF="0.499999"
+ENV BOGOFILTER_SPAM_CUTOFF="0.499999"
+ENV INTERNAL_MAIL_FILTER_CLASSES=bounce
+ENV MESSAGE_SIZE_LIMIT=31457280
+ENV MILTER_DEFAULT_ACTION=accept
+ENV MYDESTINATION="localhost.localdomain, localhost"
+ENV MYDOMAIN=example.com
+ENV MYHOSTNAME=mail.example.com
+ENV MYNETWORKS_STYLE=class
+ENV MYNETWORKS=""
+ENV NON_SMTPD_MILTERS="\$smtpd_milters"
 ENV POSTSCREEN_ACCESS_LIST="cidr:/etc/postfix/rules/postscreen_access_list.cidr, permit_mynetworks"
-ENV POSTSCREEN_DNSBL_SITES="zen.spamhaus.org*3, b.barracudacentral.org*2, bl.spameatingmonkey.net*2, bl.spamcop.net, dnsbl.sorbs.net, psbl.surriel.com, bl.mailspike.net, swl.spamhaus.org*-4"
-ENV POSTSCREEN_DNSBL_REPLY_MAP="pcre:/etc/postfix/rules/postscreen_dnsbl_mask.pcre"
 ENV POSTSCREEN_BLACKLIST_ACTION="drop"
 ENV POSTSCREEN_DNSBL_ACTION="enforce"
+ENV POSTSCREEN_DNSBL_REPLY_MAP="pcre:/etc/postfix/rules/postscreen_dnsbl_mask.pcre"
+ENV POSTSCREEN_DNSBL_SITES="zen.spamhaus.org*3, b.barracudacentral.org*2, bl.spameatingmonkey.net*2, bl.spamcop.net, dnsbl.sorbs.net, psbl.surriel.com, bl.mailspike.net, swl.spamhaus.org*-4"
 ENV POSTSCREEN_DNSBL_THRESHOLD="3"
 ENV POSTSCREEN_DNSBL_WHITELIST_THRESHOLD="-1"
+ENV POSTSCREEN_ENABLE=no
 ENV POSTSCREEN_GREET_ACTION="enforce"
 ENV RELAYHOST=""
 ENV SMTP_FALLBACK_RELAY=""
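Review bot: The default pair `ENV MYNETWORKS_STYLE=class` / `ENV MYNETWORKS=""` makes Postfix derive its trusted-client list from the full classful A/B/C network of every interface, and the SMTPD_*_RESTRICTIONS defaults elsewhere in this file put `permit_mynetworks` ahead of `reject_unauth_destination`, so every host in that range may relay through the container. For a container attached to a 10.0.0.0/8 or 172.16.0.0/12 network that is far wider than its own subnet; Postfix itself has defaulted to `host` since 3.0 (with a current compatibility_level), and `class` is the loosest setting it offers. These two lines are only moved by this commit, but since the hunk is rewriting the default block anyway it is the natural place to switch to `ENV MYNETWORKS_STYLE=host` with a comment such as `# trust only this host; set MYNETWORKS explicitly to let other clients relay`. Note that a blank MYNETWORKS never reaches postconf because the template guards each value with `{{ with getv }}`, so the style-derived default is what actually applies.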
@@ -48,14 +34,29 @@ ENV SMTP_TLS_CAFILE=""
 ENV SMTP_TLS_MANDATORY_PROTOCOLS=""
 ENV SMTP_TLS_NOTE_STARTTLS_OFFER=""
 ENV SMTP_TLS_SECURITY_LEVEL=""
+ENV SMTP_TLS_SECURITY_LEVEL=may
 ENV SMTP_TLS_SESSION_CACHE_DATABASE=""
+ENV SMTPD_CLIENT_RESTRICTIONS="check_client_access pcre:/etc/postfix/rules/client_access_list, permit_sasl_authenticated, permit_mynetworks, reject_unknown_client_hostname, reject_unauth_pipelining, permit"
+ENV SMTPD_DATA_RESTRICTIONS="reject_unauth_pipelining, permit"
+ENV SMTPD_HELO_REQUIRED=yes
+ENV SMTPD_HELO_RESTRICTIONS="check_helo_access hash:/etc/postfix/rules/helo_access_list, permit_mynetworks, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, warn_if_reject, permit"
 ENV SMTPD_MILTERS=""
-ENV NON_SMTPD_MILTERS="\$smtpd_milters"
-ENV MILTER_DEFAULT_ACTION=accept
-ENV INTERNAL_MAIL_FILTER_CLASSES=bounce
-ENV BOGOFILTER_ENABLE="yes"
-ENV BOGOFILTER_HAM_CUTOFF="0.499999"
-ENV BOGOFILTER_SPAM_CUTOFF="0.499999"
+ENV SMTPD_RECIPIENT_RESTRICTIONS="check_recipient_access hash:/etc/postfix/rules/recipient_access_list, permit_mynetworks, permit_sasl_authenticated, reject_unknown_recipient_domain, reject_non_fqdn_recipient, reject_unauth_destination, permit"
+ENV SMTPD_RELAY_RESTRICTIONS="permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, permit"
+ENV SMTPD_SASL_AUTH_ENABLE=no
+ENV SMTPD_SASL_PATH=inet:dovecot:12345
+ENV SMTPD_SASL_TYPE=dovecot
+ENV SMTPD_TLS_AUTH_ONLY=no
+ENV SMTPD_TLS_CERT_FILE=/ssl/cert.pem
+ENV SMTPD_TLS_KEY_FILE=/ssl/key.pem
+ENV SMTPD_TLS_SECURITY_LEVEL=may
+ENV SMTPD_TLS_SESSION_CACHE_DATABASE="btree:\${data_directory}/smtpd_scache"
+ENV SMTPUTF8_ENABLE="no"
+ENV SUBMISSION_ENABLE=no
+ENV VIRTUAL_ALIAS_MAPS=
+ENV VIRTUAL_MAILBOX_DOMAINS=example.com
+ENV VIRTUAL_MAILBOX_MAPS=
+ENV VIRTUAL_TRANSPORT=lmtp:dovecot:24
 # TODO: template access lists
diff --git a/confd/conf.d/setup_main.toml b/confd/conf.d/setup_main.toml
index e8c0822..37c7f06 100644
--- a/confd/conf.d/setup_main.toml
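Review bot: `ENV SMTP_TLS_SECURITY_LEVEL=may` is added directly under the unchanged `ENV SMTP_TLS_SECURITY_LEVEL=""`, so the image now declares the same key twice and the later value wins, leaving the `""` line dead. As far as these two hunks show, the effective outbound-TLS default also flips: before the patch the `""` line came after the `may` line removed from the top of the file, so it emptied the value and the template's `{{ with getv }}` guard never set `smtp_tls_security_level`; now it becomes `may`, a reasonable default but a behaviour change the subject line ("Disable SMTPUTF8 by default") does not mention. Delete the `ENV SMTP_TLS_SECURITY_LEVEL=""` line so there is one authoritative default and say so in the commit message. While this hunk is restating the auth defaults, `ENV SMTPD_TLS_AUTH_ONLY=no` next to `SMTPD_SASL_AUTH_ENABLE=no` is worth flipping to `ENV SMTPD_TLS_AUTH_ONLY=yes`: it is a no-op until an operator enables SASL, and at that moment it keeps AUTH from being offered over plaintext.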
+++ b/confd/conf.d/setup_main.toml
@@ -3,30 +3,31 @@ src = "setup_main.tmpl"
 dest = "/start.d/setup_main"
 mode = "0755"
 keys = [
+"/biff",
+"/message/size/limit",
 "/mydestination",
-"/myhostname",
 "/mydomain",
+"/myhostname",
 "/mynetworks",
 "/mynetworks/style",
-"/virtual/alias/maps",
-"/virtual/mailbox/maps",
-"/virtual/transport",
-"/virtual/mailbox/domains",
-"/smtpd/sasl/path",
-"/smtpd/sasl/type",
-"/smtpd/sasl/auth/enable",
-"/smtpd/tls/cert/file",
-"/smtpd/tls/key/file",
 "/smtp/tls/security/level",
-"/smtpd/tls/security/level",
-"/smtpd/tls/auth/only",
-"/smtpd/tls/session/cache/database",
 "/smtpd/client/restrictions",
 "/smtpd/data/restrictions",
-"/smtpd/helo/restrictions",
-"/smtpd/relay/restrictions",
-"/smtpd/recipient/restrictions",
-"/message/size/limit",
 "/smtpd/helo/required",
-"/biff",
+"/smtpd/helo/restrictions",
+"/smtpd/recipient/restrictions",
+"/smtpd/relay/restrictions",
+"/smtpd/sasl/auth/enable",
+"/smtpd/sasl/path",
+"/smtpd/sasl/type",
+"/smtpd/tls/auth/only",
+"/smtpd/tls/cert/file",
+"/smtpd/tls/key/file",
+"/smtpd/tls/security/level",
+"/smtpd/tls/session/cache/database",
+"/smtputf8/enable",
+"/virtual/alias/maps",
+"/virtual/mailbox/domains",
+"/virtual/mailbox/maps",
+"/virtual/transport",
 ]
diff --git a/confd/conf.d/setup_milter.toml b/confd/conf.d/setup_milter.toml
index 510bd9f..aa76307 100644
--- a/confd/conf.d/setup_milter.toml
+++ b/confd/conf.d/setup_milter.toml
@@ -3,8 +3,8 @@ src = "setup_milter.tmpl"
 dest = "/start.d/setup_milter"
 mode = "0755"
 keys = [
-"/smtpd/milters",
-"/non/smtpd/milters",
-"/milter/default/action",
 "/internal/mail/filter/classes",
+"/milter/default/action",
+"/non/smtpd/milters",
+"/smtpd/milters",
 ]
diff --git a/confd/conf.d/setup_postscreen.toml b/confd/conf.d/setup_postscreen.toml
index f15cb00..b26c6f4 100644
--- a/confd/conf.d/setup_postscreen.toml
+++ b/confd/conf.d/setup_postscreen.toml
@@ -3,14 +3,14 @@ src = "setup_postscreen.tmpl"
 dest = "/start.d/setup_postscreen"
 mode = "0755"
 keys = [
-"/postscreen/enable",
+"/bogofilter/enable",
 "/postscreen/access/list",
 "/postscreen/blacklist/action",
-"/postscreen/dnsbl/sites",
-"/postscreen/dnsbl/reply/map",
 "/postscreen/dnsbl/action",
+"/postscreen/dnsbl/reply/map",
+"/postscreen/dnsbl/sites",
 "/postscreen/dnsbl/threshold",
 "/postscreen/dnsbl/whitelist/threshold",
+"/postscreen/enable",
 "/postscreen/greet/action",
-"/bogofilter/enable",
 ]
diff --git a/confd/templates/setup_main.tmpl b/confd/templates/setup_main.tmpl
index fa430be..e148109 100644
--- a/confd/templates/setup_main.tmpl
+++ b/confd/templates/setup_main.tmpl
@@ -33,32 +33,33 @@ postconf maillog_file=/dev/stdout
 postconf alias_maps=hash:/etc/aliases
+{{ with getv "/biff" }}postconf biff='{{.}}'{{ end }}
+{{ with getv "/message/size/limit" }}postconf message_size_limit='{{.}}'{{ end }}
 {{ with getv "/mydestination" }}postconf mydestination='{{.}}'{{ end }}
-{{ with getv "/myhostname" }}postconf myhostname='{{.}}'{{ end }}
 {{ with getv "/mydomain" }}postconf mydomain='{{.}}'{{ end }}
+{{ with getv "/myhostname" }}postconf myhostname='{{.}}'{{ end }}
 {{ with getv "/mynetworks" }}postconf mynetworks='{{.}}'{{ end }}
 {{ with getv "/mynetworks/style" }}postconf mynetworks_style='{{.}}'{{ end }}
-{{ with getv "/virtual/alias/maps" }}postconf virtual_alias_maps='{{.}}'{{ end }}
-{{ with getv "/virtual/mailbox/maps" }}postconf virtual_mailbox_maps='{{.}}'{{ end }}
-{{ with getv "/virtual/transport" }}postconf virtual_transport='{{.}}'{{ end }}
-{{ with getv "/virtual/mailbox/domains" }}postconf virtual_mailbox_domains='{{.}}'{{ end }}
-{{ with getv "/smtpd/sasl/path" }}postconf smtpd_sasl_path='{{.}}'{{ end }}
-{{ with getv "/smtpd/sasl/type" }}postconf smtpd_sasl_type='{{.}}'{{ end }}
-{{ with getv "/smtpd/sasl/auth/enable" }}postconf smtpd_sasl_auth_enable='{{.}}'{{ end }}
-{{ with getv "/smtpd/tls/cert/file" }}postconf smtpd_tls_cert_file='{{.}}'{{ end }}
-{{ with getv "/smtpd/tls/key/file" }}postconf smtpd_tls_key_file='{{.}}'{{ end }}
 {{ with getv "/smtp/tls/security/level" }}postconf smtp_tls_security_level='{{.}}'{{ end }}
-{{ with getv "/smtpd/tls/security/level" }}postconf smtpd_tls_security_level='{{.}}'{{ end }}
-{{ with getv "/smtpd/tls/auth/only" }}postconf smtpd_tls_auth_only='{{.}}'{{ end }}
-{{ with getv "/smtpd/tls/session/cache/database" }}postconf smtpd_tls_session_cache_database='{{.}}'{{ end }}
 {{ with getv "/smtpd/client/restrictions" }}postconf smtpd_client_restrictions='{{.}}'{{ end }}
 {{ with getv "/smtpd/data/restrictions" }}postconf smtpd_data_restrictions='{{.}}'{{ end }}
-{{ with getv "/smtpd/helo/restrictions" }}postconf smtpd_helo_restrictions='{{.}}'{{ end }}
-{{ with getv "/smtpd/relay/restrictions" }}postconf smtpd_relay_restrictions='{{.}}'{{ end }}
-{{ with getv "/smtpd/recipient/restrictions" }}postconf smtpd_recipient_restrictions='{{.}}'{{ end }}
-{{ with getv "/message/size/limit" }}postconf message_size_limit='{{.}}'{{ end }}
 {{ with getv "/smtpd/helo/required" }}postconf smtpd_helo_required='{{.}}'{{ end }}
-{{ with getv "/biff" }}postconf biff='{{.}}'{{ end }}
+{{ with getv "/smtpd/helo/restrictions" }}postconf smtpd_helo_restrictions='{{.}}'{{ end }}
+{{ with getv "/smtpd/recipient/restrictions" }}postconf smtpd_recipient_restrictions='{{.}}'{{ end }}
+{{ with getv "/smtpd/relay/restrictions" }}postconf smtpd_relay_restrictions='{{.}}'{{ end }}
+{{ with getv "/smtpd/sasl/auth/enable" }}postconf smtpd_sasl_auth_enable='{{.}}'{{ end }}
+{{ with getv "/smtpd/sasl/path" }}postconf smtpd_sasl_path='{{.}}'{{ end }}
+{{ with getv "/smtpd/sasl/type" }}postconf smtpd_sasl_type='{{.}}'{{ end }}
+{{ with getv "/smtpd/tls/auth/only" }}postconf smtpd_tls_auth_only='{{.}}'{{ end }}
+{{ with getv "/smtpd/tls/cert/file" }}postconf smtpd_tls_cert_file='{{.}}'{{ end }}
+{{ with getv "/smtpd/tls/key/file" }}postconf smtpd_tls_key_file='{{.}}'{{ end }}
+{{ with getv "/smtpd/tls/security/level" }}postconf smtpd_tls_security_level='{{.}}'{{ end }}
+{{ with getv "/smtpd/tls/session/cache/database" }}postconf smtpd_tls_session_cache_database='{{.}}'{{ end }}
+{{ with getv "/smtputf8/enable" }}postconf smtputf8_enable='{{.}}'{{ end }}
+{{ with getv "/virtual/alias/maps" }}postconf virtual_alias_maps='{{.}}'{{ end }}
+{{ with getv "/virtual/mailbox/domains" }}postconf virtual_mailbox_domains='{{.}}'{{ end }}
+{{ with getv "/virtual/mailbox/maps" }}postconf virtual_mailbox_maps='{{.}}'{{ end }}
+{{ with getv "/virtual/transport" }}postconf virtual_transport='{{.}}'{{ end }}
 postconf -M spamfilter/unix | grep -q spamfilter || {
 postconf -M spamfilter/unix="spamfilter unix - n n - - pipe"
diff --git a/confd/templates/setup_milter.tmpl b/confd/templates/setup_milter.tmpl
index 42d57c8..7b3765c 100644
--- a/confd/templates/setup_milter.tmpl
+++ b/confd/templates/setup_milter.tmpl
@@ -1,6 +1,6 @@
 #!/bin/bash
-{{ with getv "/smtpd/milters" }}postconf smtpd_milters='{{.}}'{{ end }}
-{{ with getv "/non/smtpd/milters" }}postconf non_smtpd_milters='{{.}}'{{ end }}
-{{ with getv "/milter/default/action" }}postconf milter_default_action='{{.}}'{{ end }}
 {{ with getv "/internal/mail/filter/classes" }}postconf internal_mail_filter_classes='{{.}}'{{ end }}
+{{ with getv "/milter/default/action" }}postconf milter_default_action='{{.}}'{{ end }}
+{{ with getv "/non/smtpd/milters" }}postconf non_smtpd_milters='{{.}}'{{ end }}
+{{ with getv "/smtpd/milters" }}postconf smtpd_milters='{{.}}'{{ end }}
diff --git a/confd/templates/setup_postscreen.tmpl b/confd/templates/setup_postscreen.tmpl
index bfdeb93..8cabbd8 100644
--- a/confd/templates/setup_postscreen.tmpl
+++ b/confd/templates/setup_postscreen.tmpl
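Review bot: The added `{{ with getv "/smtputf8/enable" }}postconf smtputf8_enable='{{.}}'{{ end }}`, like every line around it, splices the raw value into a single-quoted shell word, so a value containing `'` closes the quote and whatever follows is executed by the generated /start.d/setup_main script (mode 0755 per the matching toml). The values come from the container's own environment, so this is an operator foot-gun rather than a remote hole, but a quoted address list such as MYDESTINATION is exactly where an apostrophe slips in and the failure is silent. confd's `replace` function can escape it in place on each line, e.g. `postconf smtputf8_enable='{{ replace . "'" "'\\''" -1 }}'`. Separately, because `with` skips empty values, `SMTPUTF8_ENABLE=` cannot restore Postfix's built-in default; the postscreen template carries a FIXME for that limitation and it applies to this file too.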
@@ -66,9 +66,9 @@ touch /etc/postfix/rules/postscreen_dnsbl_mask.pcre
 # FIXME: allow un-setting options by blanking variable values
 {{ with getv "/postscreen/access/list" }}postconf -e postscreen_access_list='{{.}}'{{ end }}
 {{ with getv "/postscreen/blacklist/action" }}postconf -e postscreen_blacklist_action='{{.}}'{{ end }}
-{{ with getv "/postscreen/dnsbl/sites" }}postconf -e postscreen_dnsbl_sites='{{.}}'{{ end }}
-{{ with getv "/postscreen/dnsbl/reply/map" }}postconf -e postscreen_dnsbl_reply_map='{{.}}'{{ end }}
 {{ with getv "/postscreen/dnsbl/action" }}postconf -e postscreen_dnsbl_action='{{.}}'{{ end }}
+{{ with getv "/postscreen/dnsbl/reply/map" }}postconf -e postscreen_dnsbl_reply_map='{{.}}'{{ end }}
+{{ with getv "/postscreen/dnsbl/sites" }}postconf -e postscreen_dnsbl_sites='{{.}}'{{ end }}
 {{ with getv "/postscreen/dnsbl/threshold" }}postconf -e postscreen_dnsbl_threshold='{{.}}'{{ end }}
 {{ with getv "/postscreen/dnsbl/whitelist/threshold" }}postconf -e postscreen_dnsbl_whitelist_threshold='{{.}}'{{ end }}
 {{ with getv "/postscreen/greet/action" }}postconf -e postscreen_greet_action='{{.}}'{{ end }}